Inside Microsoft’s Digital Crimes Unit

The Digital Crimes Unit (DCU) is a unit within Microsoft where employees track cybercrime in real time. The DCU has an important goal: fight cybercrime.

To some this role may seem surprising. Traditionally, Microsoft has not been known as a “digital security” company.

But if you’re still thinking of Microsoft as that purveyor of Windows and old-fashioned boxed software, it’s time to meet the new Microsoft.

In recent years, Microsoft has expanded into hardware with its Surface line of tablets. In 2013, it acquired phone manufacturer Nokia.

Microsoft also made a huge shift into the world of the cloud with Azure, its cloud platform for businesses to deploy and run their applications.

And it has transitioned its office software into online versions that sync up to offline files, with Office 365.

Microsoft also has emerged as a formidable warrior in the fight against computer viruses, malware, hackings and counterfeit software. It even steps in to fight against online sex abuse of children.

Microsoft’s DCU was formed in 2008. In 2013 it opened a high-tech, restricted-access Cybercrime Center on the Microsoft campus in Redmond, Washington.

Recently, I was at the DCU Cybercrime Center for a tour. Let’s step inside and take a look.

Intelligence Agents and Chattel

The DCU is fighting a war of sorts. When you enter, it feels a bit like a war room. The weapons used in the fight include technology, big data and analysis.

Using sophisticated technology (only a tiny fraction of which I saw on the tour), the DCU is able to tell right down to the street level where malware-infected computers are located. When I was there, DCU officials called up an interactive map identifying several streets right in Microsoft’s back yard where malware was lurking.

The infected computers were not on the Microsoft campus, of course. But they were in the business district of downtown Redmond. Or as the DCU spokesperson said, they were probably in small businesses without sufficient protection for their computer networks. These businesses “almost certainly weren’t aware” their computers were part of a botnet, he added.

To battle those responsible for viruses, botnets, and malware, the DCU also employs another important weapon: the legal system.

On the tour, we discovered that the DCU is staffed with professionals who have a surprising background. Technologists you’d certainly expect. But did you know that data scientists, forensic analysts and lawyers make up much of the team? Yes — about 100 of them.

Why lawyers?

One of the legal means that Microsoft’s DCU uses in its war is a common-law cause of action called “trespass to chattel.”

This has its roots in old English common law. Centuries ago, chattel referred to cattle. That was one of the most valuable forms of property in days gone by.

Today, chattel means any non-real estate property. Your computer and data could therefore be considered chattel, because it is property. The intrusion into it with spam or interfering with it through malware and cybercrime would be a “trespass” against it, if it results in damage.

Sound like a bit of a stretch? In one sense it is, but it’s been effective. And necessary.

The DCU has had to get creative to shut down cybercriminals. The laws on the books haven’t always kept up with today’s inventive cybercrime activity. And so from time to time the DCU’s crime fighters, law enforcement, law makers and judges have had to apply old legal doctrines in new ways.

The DCU pairs up with the FBI, Interpol and industry partners. One of the highest profile successes was in taking down the infamous Rustock network — I’ll tell you more about that in a moment.

A Giant Game of Whack-a-Mole

Meanwhile, Microsoft puts the cost to consumers of malware, viruses, botnets and related cybercrime, at $113 billion. And they are fighting it hard from Redmond.

Viruses and malware are self-explanatory, but what exactly is a botnet? Quite simply, a botnet (a combination of the words “robot” and “network”) is when malware gets on to someone’s computer, allowing a cybercriminal to take control of that computer remotely.

Then that computer is co-opted into a group of other Internet-connected computers which have also been infected.

These computers are then under the control of the criminals operating the botnet (called “bot-herders”), as pictured above.

The combined power of all these computers is then harnessed to do things such as sending spam email, keylogging, or mass identity theft.

Or they can be used to launch a Distributed Denial Of Service attack (DDOS). A DDOS is when a huge number of computers try to access a website or a network at the same time. This activity causes the site to crash repeatedly, or slows it to a crawl.

Working to disrupt cybercriminals’ operations in partnership with law enforcement and industry partners is all in a day’s work for the DCU. When one counterfeiter / malware producer / virus maker gets shut down, another may pop up.

As one of the other tour participants the day I was there remarked, “It’s like a giant game of whack-a-mole.”

Bringing Down the Rustock Botnet

One of the most notorious cybercrime rings was the Rustock botnet, which operated from 2006 to 2011. The anonymous criminals behind it were based in Russia. However, its command-and-control computers were located at hosting companies all over, including Denver, Seattle, Chicago, Columbus and Scranton.

At its height, this botnet was capable of spewing out 30 billion spam messages a day. In fact, according to Symantec as reported by the Wall Street Journal, Rustock was responsible for half of the world’s spam email during 2010.

Microsoft’s DCU eventually succeeded in bringing the botnet down with the help of industry partners and law enforcement. Microsoft even offered a $250,000 reward for information leading to the arrest and conviction of the Rustock criminals.

A quarter million dollars sounds like a lot of money. But compared to the harm, it’s minuscule.

Cybercrime damage involves staggering numbers.

For example, the BBC reported back in 2011 that the FBI was apprehending botnet gangs who were getting away with more than $10 million. That was nothing, though, compared to the “Operation High Roller” botnet. It snared $78 million from financial institutions a year later, in 2012.

Joseph Demarest, Assistant Director, Cyber Division of the FBI testified in the Senate in July of 2014 that “approximately 500 million computers are infected globally each year, translating into 18 victims per second.” Cybercrime, he testified, “caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally.”

Software, Drugs and Rock & Roll

One group which found the allure of the malware and botnet trade too enticing to pass up is the Mexican drug cartel “La Familia.”

In addition to kidnapping, drug dealing and murder, the cartel got into the exotic business of making counterfeit software. Here’s how it works:

This software is often intentionally infected with malware, then sold on the black market.

Let’s say your child buys a bootleg game, comes home and installs it on the home network. Congratulations! Your home network may now be part of a botnet.

And because you also work from a home office, voila — the infection just spread to your business.

According to DCU representative Jerome Stewart, sometimes people unknowingly buy counterfeit software thinking it is legitimate. The first clue is when the computer starts acting up or the software doesn’t work. The person calls in for support, and reads off the serial number — only to discover it’s not legitimate software.

Such customer support reports are actually one way that Microsoft tracks malware activity.

What makes La Familia stand out from other criminal groups is their utter brazenness. They openly advertise their involvement. They stamp their software with their own logo — the letters FMM (Familia Morelia Michoacana). See the image above of the Microsoft DCU display about La Familia.

In a way, you could consider this a “double dip.” They sell you a cheap knock-off software program, and then take control of your computer for cybercrime to boot!

For the DCU, the work never stops. One outgrowth is that Microsoft has gotten involved in cyber security at the individual computer level. The company now includes malware protection, called Windows Defender, in every Windows 8 and up operating system. (Microsoft has a free cyber security resources center for consumers and small businesses.)

Meanwhile, watch the accompanying video for more about the DCU’s work, based on some of the images from my visit to the DCU.

Staff writer Mark O’Neill assisted in the preparation of this report and video. At the time of this writing, Anita Campbell is participating in the Microsoft Small Business Ambassador program.